f8a1d7977c
which will now have IPFilter 4.1.34. IPFilter 5.1.1 will be restored post-branch. ok: core, releng.
99 lines
2.9 KiB
Plaintext
99 lines
2.9 KiB
Plaintext
BUGS:
|
|
-----
|
|
* fix "to <ifname>" bug on FreeBSD 2.2.8
|
|
fastroute works
|
|
|
|
===============================================================================
|
|
GENERAL:
|
|
--------
|
|
|
|
* support redirection like "rdr tun0 0/32 port 80 ..."
|
|
|
|
* use fr_tcpstate() with NAT code for increased NAT usage security or even
|
|
fr_checkstate() - suspect this is not possible.
|
|
|
|
* add another alias for <thishost> for interfaces <thisif>? as well as
|
|
all IP#'s associated with the box <myaddrs>?
|
|
|
|
time permitting:
|
|
|
|
* load balancing across interfaces
|
|
|
|
* record buffering for TCP/UDP
|
|
|
|
* modular application proxying
|
|
-done
|
|
|
|
* allow multiple ip addresses in a source route list for ipsend
|
|
|
|
* port IP Filter to Linux
|
|
Not in this century.
|
|
|
|
* document bimap
|
|
|
|
* document NAT rule order processing
|
|
|
|
* add more docs
|
|
in progress
|
|
|
|
3.4:
|
|
XDDD. I agree. Bandwidth Shapping and QoS (Quality of Service, AKA
|
|
traffic priorization) should be *TOP* in the TO DO list.
|
|
|
|
* Bandwidth limiting!!!
|
|
maybe for solaris, otherwise "ALTQ"
|
|
* More examples
|
|
* More documentation
|
|
* Load balancing features added to the NAT code, so that I can have
|
|
something coming in for 20.20.20.20:80 and it gets shuffled around between
|
|
internal addresses 10.10.10.1:8000 and 10.10.10.2:8000. or whatever.
|
|
- done, stage 1 (round robin/split)
|
|
The one thing that Cisco's PIX has on IPF that I can see is that
|
|
rewrites the sequence numbers with semi-random ones.
|
|
- done
|
|
|
|
I would also love to see a more extensive NAT. It can choose to do
|
|
rdr and map based on saddr, daddr, sport and dport. (Does the kernel
|
|
module already have functionality for that and it just needs support in
|
|
the userland ipnat?)
|
|
-sort of done
|
|
|
|
* intrusion detection
|
|
detection of port scans
|
|
detection of multiple connection attempts
|
|
|
|
* support for multiple log files
|
|
i.e. all connections to ftp and telnet logged to
|
|
a seperate log file
|
|
|
|
* multiple levels of log severity with E-mail notification
|
|
of intrusion alerts or other high priority errors
|
|
|
|
* poison pill facility
|
|
after detection of a port scan, start sending back
|
|
large packets of garbage or other packets to
|
|
otherwise confuse the intruder (ping of death?)
|
|
|
|
IPv6:
|
|
-----
|
|
* NAT is yet not available, either as a null proxy or address translation
|
|
|
|
BSD:
|
|
* "to <if>" and "to <if>:<ip>" are not supported, but "fastroute" is.
|
|
|
|
Solaris:
|
|
* "to <if>:<ip>" is not supported, but "fastroute" is and "to <if>" are.
|
|
|
|
Tru64:
|
|
------
|
|
* IPv6 checksum calculation for RST's and ICMP packets is not done (there
|
|
are routines in the Tru64 kernel to do this but what is the interface?)
|
|
|
|
does bimap allow equal sized subnets?
|
|
|
|
make return-icmp 'intelligent' if no type is given about what type to use?
|
|
|
|
reply-to - enforce packets to pass through interfaces in particular
|
|
combinations - opposite to "to", set reverse path interface
|
|
|